Description
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
golang-golang-x-net | fixed | 1:0.27.0-2 | | package |
golang-golang-x-net | no-dsa | | bookworm | package |
golang-golang-x-net | postponed | | bullseye | package |
Notes
https://go-review.googlesource.com/c/net/+/637536
https://github.com/golang/go/issues/70906
https://pkg.go.dev/vuln/GO-2024-3333
https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ
Fixed by: https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb (v0.33.0)
POC: https://github.com/golang/go/issues/70906#issuecomment-2557719304
Related vulnerabilities
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.